Linux Snap Users Warned as Attackers Push Malware Through Old Trusted Apps

A new Snap Store scam campaign abuses expired publisher domains to bypass trust signals and deliver malicious app updates.

Snap Store, a centralized application repository for distributing snap packages operated by Canonical, allows developers to publish applications with relatively low barriers to entry, while users can install and update software automatically through a single trusted channel. However, that trust is now under strain.

In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher (he maintains nearly 50 snaps with thousands of users), warns of a worrying trend affecting Snap packages. Here’s what it’s all about.

For more than a year, Pope and other security professionals have documented a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.

Earlier iterations of the campaign relied on newly created publisher accounts and visually convincing storefront pages. However, according to Pope, the latest shift represents a significant escalation.

Instead of creating new accounts, attackers are now monitoring the Snap Store for publishers whose associated domain names have expired. Once a domain lapses, the attackers register it themselves, trigger a password reset on the Snap Store account tied to that domain, and gain control of an established publisher identity. From there, they can push malicious updates to snaps that users may have trusted and installed years earlier.

Pope has identified at least two publisher domains, storewise.tech and vagueentertainment.com, that were taken over using this method. In both cases, previously benign snaps were updated to include wallet-stealing malware without any obvious change to the publisher’s identity or reputation.
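The takeover described above leaves a trace in the registration timeline: the publisher's contact domain is either lapsed (a takeover window is open) or was registered again after the snap first appeared under that publisher. The following script is an added defender-side illustration of that check, not code from Pope's post or from Canonical; the snap metadata, domain records and dates are constructed, and the `.example` domains are placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class SnapMeta:
    name: str
    publisher: str
    contact_domain: str   # domain behind the publisher's contact address
    first_release: date   # when the snap first shipped under this publisher

@dataclass
class DomainRecord:
    domain: str
    registered_on: Optional[date]  # current registration start
    expires_on: Optional[date]

def assess_snap(snap: SnapMeta, records: Dict[str, DomainRecord], today: date) -> str:
    """Label one snap by the state of its publisher's contact domain.

    'unregistered'  - domain has lapsed; anyone who registers it can reset the
                      publisher password, so the account is exposed right now.
    'reregistered'  - current registration is newer than the snap's first
                      release; the identity may have changed hands since then.
    'expiring-soon' - registration ends within 30 days; the publisher should renew.
    'ok'            - registration predates the snap and is not about to lapse.
    """
    rec = records.get(snap.contact_domain)
    if rec is None or rec.registered_on is None:
        return "unregistered"
    if rec.registered_on > snap.first_release:
        return "reregistered"
    if rec.expires_on is not None and (rec.expires_on - today).days <= 30:
        return "expiring-soon"
    return "ok"

def triage(snaps: List[SnapMeta], records: Dict[str, DomainRecord], today: date) -> Dict[str, str]:
    """Map each snap name to its risk label."""
    return {s.name: assess_snap(s, records, today) for s in snaps}

# Constructed sample inventory (hypothetical publishers and domains).
SNAPS = [
    SnapMeta("wallet-helper", "oldpub", "oldpub.example", date(2019, 3, 1)),
    SnapMeta("notes-app", "steadypub", "steadypub.example", date(2020, 6, 15)),
    SnapMeta("sys-monitor", "lapsedpub", "lapsedpub.example", date(2018, 1, 10)),
    SnapMeta("image-tool", "renewpub", "renewpub.example", date(2021, 9, 9)),
]
RECORDS = {  # lapsedpub.example is deliberately absent: it has no current registration
    "oldpub.example": DomainRecord("oldpub.example", date(2025, 11, 2), date(2026, 11, 2)),
    "steadypub.example": DomainRecord("steadypub.example", date(2015, 4, 4), date(2028, 4, 4)),
    "renewpub.example": DomainRecord("renewpub.example", date(2020, 1, 1), date(2026, 1, 20)),
}
TODAY = date(2026, 1, 5)

if __name__ == "__main__":
    for name, label in triage(SNAPS, RECORDS, TODAY).items():
        print(f"{name:14} {label}")
```

In practice the domain records would come from a WHOIS/RDAP lookup and the snap list from the installed inventory; the labels are a triage signal, not proof of compromise.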

Analysis of the malicious snaps shows a recurring pattern. The applications render a web-based interface that closely resembles legitimate wallet software. On launch, they attempt to contact a remote endpoint to verify network connectivity before proceeding.

If a user submits a recovery phrase, it is immediately transmitted to the attackers’ servers. By the time the deception becomes apparent, wallet contents are typically already gone.

Of course, Canonical has removed reported malicious snaps, but Pope notes that enforcement often lags behind discovery, allowing malicious updates to remain available long enough to affect users.

In the meantime, Snap publishers are advised to keep their domain registrations up to date and enable two-factor authentication. At the same time, users are urged to avoid installing cryptocurrency wallet applications from app stores altogether and instead obtain them directly from official project websites.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
